Hello!
In this post we will look at the first way to escalate privilege in Active Directory, which is also the most laborious way to launch an Active Directory privilege escalation attack.
This way involves guessing the target user's password, or cracking it (cracking refers to recovering a user's password from the form in which a computer has stored or transmitted it, typically a password hash).
Since most Active Directory deployments use basic protections such as an Account Lockout policy, only amateurs use password guessing as a means of obtaining a domain user account's password. And because most AD deployments also have basic auditing in place (with logon auditing enabled, every failed logon is written to the Security log of the domain controller that rejected it), amateurs who guess passwords are very likely to get caught in the act.
So, since password guessing is not a realistic option in a decently protected Active Directory (and because it is for amateurs), I will skip it and talk about the more interesting password-cracking approach to getting a domain user account's password.
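To make the "lockout plus auditing" point concrete, here is an added example (not code from the original post) of the check a defender runs over those failed-logon records. It assumes a constructed, simplified feed of Event ID 4625 records reduced to timestamp, source address and target account; the account names and addresses are made up. It reports two things: accounts that accumulate enough failures inside the lockout window to be locked, and sources that spread a few guesses over many accounts to stay under the lockout threshold, which is the pattern that still shows up plainly in the audit trail.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

Event = Tuple[datetime, str, str]   # (timestamp, source address, target account)

# Constructed stand-in for Security log Event ID 4625 (logon failure) records, reduced to
# the three fields this check needs: TimeCreated | IpAddress | TargetUserName. Not real data.
SAMPLE_4625 = [
    "2024-03-04T09:00:05|10.0.0.5|jdoe",
    "2024-03-04T09:00:20|10.0.0.5|jdoe",
    "2024-03-04T09:00:41|10.0.0.5|jdoe",
    "2024-03-04T09:01:02|10.0.0.5|jdoe",
    "2024-03-04T09:01:30|10.0.0.5|jdoe",
    "2024-03-04T09:02:11|10.0.0.5|jdoe",     # 6th failure inside 10 minutes: lockout trips
    "2024-03-04T09:05:00|10.0.0.9|asmith",
    "2024-03-04T09:05:03|10.0.0.9|bjones",
    "2024-03-04T09:05:06|10.0.0.9|ckim",
    "2024-03-04T09:05:09|10.0.0.9|dlee",
    "2024-03-04T09:05:12|10.0.0.9|epark",
    "2024-03-04T09:05:15|10.0.0.9|fwong",    # one try per account: never locks, still a spray
    "2024-03-04T09:30:00|10.0.0.7|jdoe",     # later typos; the 09:00 burst has aged out
    "2024-03-04T09:30:40|10.0.0.7|jdoe",
]


def parse_4625(lines: Iterable[str]) -> List[Event]:
    """Parse the constructed 'time|ip|account' lines into sorted events."""
    events = []
    for line in lines:
        ts, ip, user = (part.strip() for part in line.split("|"))
        events.append((datetime.fromisoformat(ts), ip, user.lower()))
    return sorted(events)


def detect_guessing(events: List[Event], threshold: int = 5,
                    window: timedelta = timedelta(minutes=10),
                    spray_min_accounts: int = 5) -> Dict[str, Dict[str, int]]:
    """Two views of the same failures: accounts that reach `threshold` failures inside
    `window` (what an Account Lockout policy with those settings will lock), and sources
    that touch many accounts with few attempts each (a spray that stays under lockout
    but is still plainly visible in the audit trail)."""
    recent: Dict[str, deque] = defaultdict(deque)   # per-account failure timestamps in window
    lockout_risk: Dict[str, int] = {}                # account -> peak failures inside one window
    per_source: Dict[str, set] = defaultdict(set)    # source -> distinct accounts tried
    for ts, ip, user in events:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:                    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            lockout_risk[user] = max(lockout_risk.get(user, 0), len(q))
        per_source[ip].add(user)
    spray = {ip: len(users) for ip, users in per_source.items()
             if len(users) >= spray_min_accounts}
    return {"lockout_risk": lockout_risk, "spray_sources": spray}


def run_guess_sample() -> Dict[str, Dict[str, int]]:
    return detect_guessing(parse_4625(SAMPLE_4625))
```

The threshold and window are the same two numbers an Account Lockout policy uses, so the first report shows exactly which accounts a guesser has already locked, while the second catches the attacker who read the policy and stays one failure below it per account.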
The main tool used for password cracking is L0phtCrack, now in version 6. L0phtCrack is primarily a password auditing and cracking tool, and it has five main ways of cracking passwords:
- Username Crack – L0phtCrack 6 checks whether any account uses its own username as its password. This check is performed in every audit.
- Dictionary Crack – L0phtCrack 6 tests every word in a specified dictionary file against the password hashes. The dictionary crack tries words up to the 14-character length limit (the maximum length of a password that has an LM hash).
- Hybrid Crack – L0phtCrack 6 modifies existing dictionary words to generate additional password attempts: dictionary words slightly altered with added numbers and symbols.
- Precomputed Crack – L0phtCrack 6 compares the user password hashes with precomputed password hashes specified in a hash file.
- Brute Force Crack – L0phtCrack 6 attempts every combination of the characters it is configured to use.
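The following is an added example, not part of the original post and not L0phtCrack's own code, that models the five modes above against NT hashes so the ordering and the cost of each mode can be seen. It assumes: a constructed hash dump of made-up accounts (one entry is the well-known NT hash of "password", the rest are hashed in place), a tiny wordlist and a tiny "leak" list standing in for the precomputed hash file, and a deliberately small brute-force character set. MD4 is written out inline because `hashlib.new('md4')` is missing on many current OpenSSL builds. The NT hash is unsalted MD4 over the UTF-16LE password, which is exactly why a precomputed table works and why one hash computation can be compared against every account in the dump at once.

```python
import itertools
import struct
from typing import Dict, Iterable, List, Optional, Tuple

_MASK = 0xFFFFFFFF

def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') is absent on many OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _lrot((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _lrot((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """The NT hash is plain, unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()

# Constructed sample dump (account -> NT hash), the shape a hash dumper hands to a cracker.
# One entry is the well-known hash of "password"; the rest are hashed here. Not real credentials.
SAMPLE_DUMP = {
    "guest_old":  "8846f7eaee8fb117ad06bdd830b7586c",        # "password": plain dictionary word
    "svc_backup": nt_hash("svc_backup"),                      # username reused as the password
    "helpdesk":   nt_hash("Winter2019"),                      # present in the (constructed) leak list
    "da_admin":   nt_hash("Sunshine1!"),                      # dictionary word plus mangling
    "tmp":        nt_hash("ab1"),                             # short enough to brute-force
    "strong":     nt_hash("correct horse battery staple"),    # survives every mode below
}
WORDLIST = ["password", "sunshine", "welcome", "letmein"]
LEAKED = ["Winter2019", "Spring2020", "Welcome123"]           # stand-in for a precomputed hash file

Found = Dict[str, Optional[Tuple[str, str]]]                  # account -> (mode, password) or None

def _try(candidates: Iterable[str], pending: Dict[str, str], mode: str, found: Found) -> None:
    """Hash each candidate once and compare it with every still-uncracked account
    (no salt, so one hash computation covers the whole dump)."""
    for cand in candidates:
        if not pending:
            return
        h = nt_hash(cand)
        for user in [u for u, uh in pending.items() if uh == h]:
            found[user] = (mode, cand)
            del pending[user]

def mangle(words: Iterable[str]) -> Iterable[str]:
    """Hybrid rules: case variants with common numeric and symbol suffixes."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for suffix in ("1", "12", "123", "!", "1!", "01", "2019"):
                yield base + suffix

def brute_force(charset: str, max_len: int) -> Iterable[str]:
    """Every string over charset up to max_len, shortest first."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)

def audit(dump: Dict[str, str], wordlist: List[str], leaked: List[str],
          charset: str, max_len: int) -> Found:
    """Run the five modes cheapest-first; each later mode only sees accounts still uncracked."""
    pending = {u: h.lower() for u, h in dump.items()}
    found: Found = {u: None for u in dump}
    _try(list(pending), pending, "username", found)                     # 1. username as password
    table = {nt_hash(p): p for p in leaked}                              # 2. precomputed hash -> password
    for user in [u for u in pending if pending[u] in table]:
        found[user] = ("precomputed", table[pending[user]])
        del pending[user]
    _try(wordlist, pending, "dictionary", found)                         # 3. plain wordlist
    _try(mangle(wordlist), pending, "hybrid", found)                     # 4. mangled wordlist
    _try(brute_force(charset, max_len), pending, "brute force", found)   # 5. exhaustive search
    return found

def run_crack_sample() -> Found:
    # A 16-character set keeps the demo quick; the loop is identical for a full keyspace.
    return audit(SAMPLE_DUMP, WORDLIST, LEAKED, "abcdef0123456789", 3)
```

Run `run_crack_sample()` and five of the six accounts come back with a mode and a clear-text password; only the long passphrase survives, because no mode here is cheaper than its keyspace. The precomputed mode is a pure table lookup, which is the cost profile that makes unsalted NT hashes so attractive to attackers who already hold a dump.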
Now, for launching an Active Directory privilege escalation attack, L0phtCrack 6 can be used to get the clear-text password of any domain user account, including those of Domain Admins and Enterprise Admins, and once you know their passwords you can log in as them, and by doing so you have escalated your privilege in Active Directory.
But did you really escalate privilege? Or did you just show that you don't know much about Windows security?
Here's what I mean. To use L0phtCrack 6 to crack domain user account passwords, you need administrative privileges on a Domain Controller (DC), because the password hashes are stored in the DC's Active Directory database, which ordinary domain users cannot read. But if you already have administrative privileges on a DC, you already are a God-like administrator, and if you don't know that, you don't know much about Windows security.
Note: L0phtCrack 6 has a new capability called Remote Password Retrieval, but if you read the documentation, it clearly states that a) you need administrator privileges on the remote Domain Controller, specifically the Debug privilege (SeDebugPrivilege), and b) the machine also needs to be remotely administrable.
Anyway, several default built-in groups in Active Directory, such as Server Operators, Backup Operators and Print Operators, already have privileges on Domain Controllers that are effectively administrative (Backup Operators, for instance, can read any file on a DC regardless of its permissions, including the ntds.dit database that holds the password hashes), so technically any member of any of these groups could use L0phtCrack to obtain the hashes and then get to clear-text passwords.
But, as I mentioned earlier, members of these groups already have enough power to make themselves Domain Admins; if they don't know that, it is their ignorance, and there is no greater risk than having ignorant administrators who possess God-like privileges.
However, if someone has managed to get administrative access on a Domain Controller but has no idea that they now already have God-like power, or no idea how to use it, then L0phtCrack can certainly help them find out the password of a Domain Admin, so that they can then log in as a Domain Admin.
So, if you have managed to get administrative access on a Domain Controller and have no idea that you already have God-like powers, here is how to use L0phtCrack 6 to escalate your privilege in Active Directory:
How to Escalate Privilege in Active Directory by Using L0phtCrack
Step 1- Configure L0phtCrack Session Options
You should first specify the set of Session Options for L0phtCrack 6 to use.
I highly recommend referring to the product manual for the details, as it can impact how long the cracking process will take and what resources it will use.
Step 2 – Obtaining a copy of the Password Hashes from Active Directory
- Launch the L0phtCrack Wizard
- If you are logged in on a DC, select Retrieve from the Local Machine, otherwise select Retrieve from a Remote Machine
- Choose an auditing method. Select from amongst – Quick Password Audit, Common Password Audit, Strong Password Audit, or Custom
- Pick a Reporting Style. Options include Display passwords when audited, Display encrypted password ‘hashes’, Display how long it took to audit each password, Display auditing method, and Make Visible Notification when auditing is done.
Step 3 – Cracking Active Directory Domain User Account Password Hashes
- Click on Finish to begin cracking Active Directory Domain User Account Password Hashes
That is all you need to do. Once L0phtCrack 6 has done its job, if everything goes well, you should be able to see the password(s) of one or more Domain Admins in your Active Directory.
Once you know the password of a Domain Admin account, you can use it to log in as that Domain Admin. Once logged in as a Domain Admin, what you do with that power is limited only by your expertise. (Some of our comrades can bring an entire network down in minutes.)
There are other tools available as well, such as John the Ripper (a password cracker) and pwdump7 (a hash dumper), but in every case the step of obtaining the hashes from the Domain Controller requires administrative privileges to begin with, so strictly speaking none of them can be used to elevate privileges in Active Directory or Windows.
L0phtCrack Download, Trial and Additional Info
For additional info and to download a free L0phtCrack 6 trial, see the vendor's website.
In the next post, we’ll see how to use a real way to Escalate privilege in Active Directory via the use of Password Hashes.
Thank you